Solved: WLC 9800 Users being asked to reconsent on LWA

ts7575 · ‎08-08-2023

Hello,

I am using a Cisco WLC 9800 with software version 17.9.3. My access points are 2700's and 3800's and are in local mode. I implemented a consent page with LWA around two months ago. For the first month and a half, except for a few rare issues, we had no issues and clients were happy. Recently clients have begun complaining about needing to reconsent every day. Sometimes they need to reconsent at random times throughout the day. But it mostly happens when their device goes to sleep or they roam from one building to another.

Here are some of our parameters:

Sleeping Client Timer: 43200

Session Timeout: 86400

Idle Timeout: 3600

Additionally, many of the clients reporting the issue are getting this message when I checked the debug analyzer:

"Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_GROUP_KEY_UPDATE_TIMEOUT. Explanation: Client did not complete Broadcast key rotation. This may happen if client was sleeping or out of coverage. Actions: None required, as it may happen on normal scenarios. If issue persists, collect RA trace and over the air capture"
This message seems to appear before clients are asked to consent again.

Thankyou for the help.

ts7575 · ‎08-08-2023

I increased the EAPOL-Key Timeout to 5000 ms and the EAPOL-Key Max Retries to 4 and decreased the idle timeout to the minimum 15 seconds. It seems to be working so far and clients are being saved to the sleeping client database before being deleted.

View solution in original post

ts7575 · ‎08-08-2023

Here is a more detailed debug:

2023/08/08 17:20:10.627	client-auth	Initiated layer 3 authentication with local web-auth
2023/08/08 18:13:28.867	client-keymgmt	Reached maximum retries for M5
2023/08/08 18:13:38.867	client-orch-sm	Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_GROUP_KEY_UPDATE_TIMEOUT. Explanation: Client did not complete Broadcast key rotation. This may happen if client was sleeping or out of coverage. Actions: None required, as it may happen on normal scenarios. If issue persists, collect RA trace and over the air capture

It seems like when the client goes to sleep or out of range of an access point, it no longer receives the group key update which results in the client being deleted. Is there a way to adjust this so the client is saved to the sleeping clients list?

To add, I am using WPA2 w/PSK.

marce1000 · ‎08-08-2023

- Disable FT (Fast Transition) completely from that WLAN, FT will not save that much of time if the WLAN is PSK.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

ts7575 · ‎08-08-2023

Sorry I didn't include that. I already disabled that because it had caused some problems in the past as well.

JPavonM · ‎08-08-2023

In this case you maybe benefit from lowering broadcast key rotation to a higher value, maybe something like 15-18 hours. Do not use 24 hours or users connecting to the WLAN on the afternoon will be asked again on next afternoon.

Check current values with this command and tune the highlighted value accordly:

controller# show run all | i wireless security
wireless security dot1x eapol-key retries 2
wireless security dot1x eapol-key timeout 1000
wireless security dot1x group-key interval 54000
wireless security dot1x identity-request retries 2
wireless security dot1x identity-request timeout 30
no wireless security dot1x max-login-ignore-identity-response
wireless security dot1x request retries 2
wireless security dot1x request timeout 30
wireless security web-auth retries 3

ts7575 · ‎08-08-2023

I increased the EAPOL-Key Timeout to 5000 ms and the EAPOL-Key Max Retries to 4 and decreased the idle timeout to the minimum 15 seconds. It seems to be working so far and clients are being saved to the sleeping client database before being deleted.